Technical Configuration Guide Nortel IP Phone Inter-Working with Cisco L2 Switches Nov 10th, 2008 Issue: 1.1


Nortel VoIP Clients on Cisco L2 devices Configuration Guide August 2008

Copyright © 2007-2008 Nortel Networks. All rights reserved. March 2008

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license.

Trademarks

Nortel, the Nortel logo, the Globemark, Unified Networks, and BayStack are trademarks of Nortel Networks. Cisco, Cisco IOS, Cisco Systems are trademarks of Cisco Systems. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. All other trademarks are the property of their respective owners.


TABLE OF CONTENTS

INTRODUCTION
BASIC CONFIGURATION NOTES
HARDWARE AND SOFTWARE VERSIONS
VOIP FEATURES
INTEGRATION NOTES AND LIMITATIONS
NETWORK TOPOLOGY
POE 802.3AF POWER OVER ETHERNET OVERVIEW AND CONFIGURATION
PORT LINK SPEED 802.3AB CONFIGURATION
VLAN AND QOS 802.1Q/P VOICE AND DATA
QOS 802.1Q/P QUALITY OF SERVICE
DHCP DYNAMIC HOST CONFIGURATION PROTOCOL
EAPOL 802.1X (EXTENSIBLE AUTHENTICATION PROTOCOL OVER LAN)
LLDP 802.1AB (LINK LAYER DISCOVERY PROTOCOL)
STP 802.1W (SPANNING TREE PROTOCOL)


Introduction

The purpose of this document is to detail the steps and configuration necessary for Cisco L2 devices to interoperate with Nortel IP Phones. This document does not cover every possible combination of hardware, software, protocol or feature testing scenario.


Basic Configuration Notes

The table below is based on the configuration shown in the diagram on page 7 (Network Topology). The focus of this TCG is how to configure the Cisco Cat 3750 L2 switch to interoperate with the Nortel IP set.

1) All configuration and testing was done with IPv4.
2) The Command Line Interface (CLI) was used for configuration. Cisco devices support web-based configuration with limitations.
3) Configurations recommended for use with Nortel IP Phones are in bold.
4) It is assumed that you know how to configure a Nortel IP Phone, DHCP and RADIUS Server.

Hardware and Software Versions

Cisco LAN Infrastructure

Quantity | Hardware             | Software Version
1        | Cisco 3750 L2 Switch | 12.2(37)SE

Other Data Applications

Quantity | Hardware           | Software Version
1        | DHCP Server        | Microsoft Windows 2003 SP2
1        | Cisco ACS (RADIUS) | Cisco ACS 3.3

Nortel

Quantity | Hardware                                          | Software Version
1        | Nortel (CS 1000) Communication server 1000 (CPPM) | 5.50J
1        | Signaling Servers (CPPM)                          | 5.50.12
1        | (SPS) SIP proxy Server HP DL320                   | 5.50.12
2        | Nortel IP Phone 1140E                             | 0625C4D
1        | Nortel Call Server Patch(s)                       | Deplist
1        | Signaling Server Patch(s)                         | Deplist


VoIP Features.

• Power over Ethernet (PoE) 802.3af
• Link, Duplex, Auto-negotiate, 1000MB, 100MB, 10MB
• Virtual Local Area Networking (VLAN) tagging 802.1Q
• Quality of Service (QoS) 802.1Q/p
• Dynamic Host Configuration Protocol (DHCP)
• Extensible Authentication Protocol (EAP) 802.1x
• Link Layer Discovery Protocol (LLDP) 802.1ab
• Spanning Tree Protocol (STP) 802.1w


Integration Notes and Limitations

This TCG covers standalone Nortel IP Phone sets and how they can be deployed on various Cisco switches. It will cover features on Cisco switches related to VoIP with configuration examples. In this guide the Nortel IP Phone 1140E is configured to use both Data and Voice VLANs. The focus of this guide is to configure Cisco switch to interoperate with Nortel IP Phones. It is assumed that you know how to configure the Nortel IP Phone, DHCP server and a RADIUS Server.


Network Topology

PoE 802.3af Power over Ethernet Overview and Configuration

Power over Ethernet (PoE) is defined by IEEE 802.3af to deliver up to 12.95 watts over structured cabling. PoE provides electrical power via standard Cat-5 Ethernet cables, thereby eliminating the need for wall adapters or other external power sources for equipment connected in an Ethernet network. The two major components in a PoE system are the power sourcing equipment (PSE), which provides the power, and the powered device (PD), which receives and uses this power.

On a Cisco Catalyst 3750 24-port PoE switch, each PoE port provides up to 15.4 W of power. On a 48-port PoE switch, any 24 of the 48 PoE ports provide 15.4 W of power, or any combination of ports provide an average of 7.7 W of power at the same time, up to a maximum switch power output of 370 W.

In our setup the power sourcing equipment (PSE) is the Cisco 3750 L2 switch and the powered devices (PD) are the Nortel IP Phone 1140E sets.


IEEE 802.3af PSE and Powered Device Power Classifications


PoE Cisco Switch Configuration

The Cisco Catalyst 3750-24PS and 3750-48PS support 370 Watts of inline power, and should support class 3 PDs (15.4 Watts) on 24 ports or 7.7 Watts on 48 ports. By default, the power mode of a port is set to auto. Use the command show power inline to check the inline power configuration and status. Please see example at the bottom of the page.

There are three modes of PoE configuration on the Cisco Cat 3750 Switch.

1) Auto (Default, recommended with Nortel IP phones)

The switch automatically detects if the connected device requires power. If the switch discovers a powered device connected to the port, it grants power.

2) Static

The switch pre-allocates power to the port and guarantees that power will be available for the port even when no powered device is connected. The switch allocates the port's configured maximum wattage. Any powered device that uses less than or equal to the maximum wattage is guaranteed to be powered when it is connected to the static port. However, if the powered-device IEEE class is greater than the maximum wattage, the switch does not supply power to it.

3) (Never) Off

The switch disables powered-device detection and never powers the PoE port. Use this mode only when you want to make sure power is never applied to a PoE-capable port.

Use the following commands to configure the port for the desired PoE mode. From the CLI, enter enable mode:

    configure terminal
    interface interface-id                          (for 3750 interface-ID = Gi1/0/1)
    power inline auto                               (This is the preferred configuration for Nortel IP Phones)
    power inline auto max <4000-15400>              (milli-watts; to limit the power in auto mode)
    power inline static                             (To turn on power to the port even if there is no PoE device detected)
    power inline static max <4000-15400>            (milli-watts; to limit the power in static mode)
    power inline never                              (To turn off power to the port)
    power inline consumption <4000-15400>           (milli-watts; to set the amount of power consumption)

Use the following CLI command to see PoE port configurations.

    Clab_3750#sh power inline
    Module   Available     Used     Remaining
              (Watts)     (Watts)    (Watts)
    ------   ---------   --------   ---------
    1           370.0      114.8       255.2

    Interface Admin  Oper       Power   Device              Class Max
                                (Watts)
    --------- ------ ---------- ------- ------------------- ----- ----
    Gi1/0/1   auto   on         15.4    Ieee PD             3     15.4    (Cisco reports class 3 device for 1140E)
    Gi1/0/2   static on         15.4    Ieee PD             n/a   15.4
    Gi1/0/3   off    off        0.0     n/a                 n/a   15.4

Issue with Oversubscription of Power

Both flavours of the Cisco Cat 3750, the 24-port and 48-port versions, support 370 watts of inline power. If you are using a Cat 3750 with 48 ports, all the ports are populated with Nortel Class 3 phones like the 1140E, and the ports are configured for “power inline auto”, then you will over-subscribe power and likely damage the switch.

The Cisco 3750 switch provides the power inline consumption command to configure the actual power requirements of the powered device, so the end user can override the powered-device classification setting. Even though the Nortel IP Phone 1140E is a class 3 device, its actual power consumption in the worst-case scenario is 10.5 watts. To restrict the maximum power on each port to 10500 milli-watts (10.5 watts), use the following global configuration command.

    config t
    power inline consumption default 10500

The switch supports 370 watts of total power to all 48 ports, or 7.7 watts per port (370 / 48 = 7.7 watts). To calculate how many Nortel IP Phones the switch can support, use the chart below as a guideline for Nortel IP Phone power consumption. For the Nortel IP Phone 1140E, 370 / 10.5 = 35. A Cat 3750 48-port switch can support 35 Nortel IP Phones that consume a maximum of 10.5 watts of power.

Use the following command to verify the settings.

    sh power inline
    Interface Admin  Oper       Power   Device              Class Max
    Gi1/0/1   auto   on         10.5    Ieee PD             3     15.4

Page 12: Nortel IP Phone Inter-Working with Cisco L2 Switches

Nortel VoIP Clients on Cisco L2 devices Configuration Guide August 2008

______________________________________________________________________________________________________ 11

The table below displays the average power consumed for each Nortel IP Phone set.

Model | PEC | Description | Power budget (802.3af) | Power Draw Typical (watts) | Power Draw Max (watts) | Notes

Nortel IP Phone 2000 Series

2001 | NTDU90AC70E6 | IP Phone 2001 (Charc/Bez) Icon Keys w/o PS (RoHS) | Class 2 | 3.2 | 4.2 |
2001 | NTDU90BC70E6 | IP Phone 2001 (Charc/Bez) Eng Text Keys w/o PS (RoHS) | Class 2 | 3.2 | 4.2 |
2002 | NTDU91AC70E6 | IP Phone 2002 (Charc/Bez) Icon Keys w/o PS (RoHS) | Class 2 | 3.2 | 4.8 |
2002 | NTDU91BC70E6 | IP Phone 2002 (Charc/Bez) Eng Text Keys w/o PS (RoHS) | Class 2 | 3.2 | 4.8 |
2004 | NTDU92AC70E6 | IP Phone 2004 (Charc/Bez) Icon Keys w/o PS (RoHS) | Class 2 | 3.2 | 4.8 |
2004 | NTDU92BC70E6 | IP Phone 2004 (Charc/Bez) Eng Text Keys w/o PS (RoHS) | Class 2 | 3.2 | 4.8 |
2007 | NTDU96AC70E6 | IP Phone 2007 (Charc/Bez) w/o PS (RoHS) | Class 3 | 8.0 | 13.0 |
2033 | NTEX11AA70E6 | IP Audio Conference Phone 2033 Package (ROHS) - Phone, with PoE Module, without Extension Microphones | Class 3 | 8.5 | 10.5 |
2033 | NTEX11BA70E6 | IP Audio Conference Phone 2033 Package (ROHS) - Phone with PoE module, with 2 Extension Microphones | Class 3 | 8.5 | 10.5 |
2033 | NTEX11EA70E6 | IP Audio Conference Phone 2033 Package (ROHS) - Phone with PoE Module, Universal Power Supply. [Please order NTTK power cord separately] | Class 3 | 8.5 | 10.5 |
2033 | NTEX11FA70E6 | IP Audio Conference Phone 2033 Package (ROHS) - Phone with PoE module, Universal Power Supply with 2 Extension Microphones. [Please order NNTK power cord separately] | Class 3 | 8.5 | 10.5 |

Nortel IP Phone 1100 Series

1110 | NTYS02AAE6 | IP Phone 1110 with Icon keycaps without power supply | Class 2 | 2.8 | 5.89 |
1110 | NTYS02BAE6 | IP Phone 1110 with English Text keycaps without power supply | Class 2 | 2.8 | 5.89 |
1120E | NTYS03ACE6 | IP Phone 1120E - Graphite with icon keycaps, no power supply (RoHS) | Class 3 | 6.0 / 8.0 | 8.0 / 10.5 | first number 10/100, second number 10/100/1000
1120E | NTYS03BCE6 | IP Phone 1120E with English Text keycaps without power supply | Class 3 | 6.0 / 8.0 | 8.0 / 10.5 | first number 10/100, second number 10/100/1000
1140E | NTYS05ACE6 | IP Phone 1140E - Graphite with icon keycaps, no power supply (RoHS) | Class 3 | 6.0 / 8.0 | 8.0 / 10.5 | first number 10/100, second number 10/100/1000
1140E | NTYS05BCE6 | IP Phone 1140E - Graphite with Eng keycaps, no power supply (RoHS) | Class 3 | 6.0 / 8.0 | 8.0 / 10.5 | first number 10/100, second number 10/100/1000
1150E | NTYS06AAE6 | IP Phone 1150E Graphite with Icon keycaps, without power supply (RoHS) | Class 3 | 5.0 / 7.2 | 6.8 / 9.6 | first number 10/100, second number 10/100/1000
1150E | NTYS06BAE6 | IP Phone 1150E Graphite with English Text keycaps, without power supply (RoHS) | Class 3 | 5.0 / 7.2 | 6.8 / 9.6 | first number 10/100, second number 10/100/1000

Nortel IP Phone 1200 Series

1210 | NTYS18AA70E6 | IP Phone 1210 Charcoal with Icon Keys | Class 2 | 3.2 | 4.6 |
1210 | NTYS18BA70E6 | IP Phone 1210 Charcoal with English Text Keys | Class 2 | 3.2 | 4.6 |
1220 | NTYS19AA70E6 | IP Phone 1220 Charcoal with Icon Keys | Class 2 | 3.2 | 4.6 |
1220 | NTYS19BA70E6 | IP Phone 1220 Charcoal with English Text Keys | Class 2 | 3.2 | 4.6 |
1230 | NTYS20AA70E6 | IP Phone 1230 Charcoal with Icon Keys | Class 2 | 3.2 | 4.6 |
1230 | NTYS20BA70E6 | IP Phone 1230 Charcoal with English Text Keys | Class 2 | 3.2 | 4.6 |


Port Link Speed 802.3ab Configuration

The IEEE 802.3ab auto-negotiation protocol manages the switch settings for speed and duplex. The Nortel IP phones are capable of:

1) Auto-negotiate (Recommended settings)
2) 10 MB half/full duplex
3) 100 MB half/full duplex

Let both ports, Nortel IP phone and Cisco L2, auto-negotiate both speed and duplex; the devices will connect using the optimal speed. The other option is to manually set the speed and duplex parameters for the ports on both ends of the connection. This may be desired in certain scenarios where auto-negotiation fails, but is not recommended.

Use the following CLI commands to configure link speed for the port.

    configure terminal
    interface interface-id      (for 3750 interface-ID = Gi1/0/1)
    speed 10                    (Force 10 Mbps operation)
    speed 100                   (Force 100 Mbps operation)
    speed 1000                  (Force 1000 Mbps operation)
    speed auto                  (Enable auto-negotiation, Recommended settings for Nortel IP Phones)
    duplex auto                 (Enable AUTO duplex, Recommended settings for Nortel IP Phones)
    duplex full                 (Force full duplex operation)
    duplex half                 (Force half-duplex operation)

Use the following CLI command to see the port speed settings on the Cisco 3750 switch. In the example below the switch port Gi1/0/1 is configured for auto-negotiate and the Nortel IP phone 1140E is also configured for auto-negotiate. Please note the settings in bold below: it connected at the optimal speed of 1000MB and full duplex. a-full means auto-negotiate full duplex, a-1000 means auto-negotiate connected at 1000MB.

    Clab_3750#sh int gi1/0/1 status
    Port      Name               Status       Vlan       Duplex  Speed Type
    Gi1/0/1                      connected    110        a-full a-1000 10/100/1000BaseTX


VLAN and QoS 802.1Q/p Voice and Data

A VLAN is a switched network that is logically segmented. Any switch port can belong to any VLAN (Voice, Data or both). Cisco Catalyst 3750 ports should be configured as access ports. The Nortel 1140E IP Phone will use the VOICE VLAN for voice traffic and the PC attached to the Nortel IP Phone 1140E data port will use the access VLAN for data traffic. (Please see topology on page 7) The voice VLAN feature enables Cisco 3750 access ports to support two VLANs (access/native and voice) without turning on 802.1Q trunking.

Since the introduction of IP Telephony from Nortel, the design recommendation has been to segregate the voice traffic from the data traffic using VLANs. There are several advantages to separating this traffic at the edge of the network:

• Simplifies the implementation of QoS for the IP Telephony phonesets. The network administrator can simply enable QoS on a VLAN level – all traffic on the voice VLAN is prioritized over all the other VLANs.

• Isolating the voice traffic provides a level of security for the IP Telephony. Any broadcast or multicast storms that affect the data VLANs will not propagate to the voice VLANs and therefore will not adversely affect the voice traffic.

• Creating separate voice VLANs allows the network administrator to create simple traffic filters that will not allow non-voice traffic on those VLANs – for example, if a user plugged their workstation into the voice VLAN, they would not be able to get anywhere in the network.

• Troubleshooting application level or network level problems is simplified by isolating traffic flows into different VLANs. Understanding that no “normal” data traffic is traversing the voice VLANs eliminates a variable in the troubleshooting process.

Use the following CLI commands to configure port VLANs for both voice and data.

    configure terminal
    interface interface-id          (for 3750 interface-ID = Gi1/0/1)
    switchport mode access          (Set trunking mode to ACCESS unconditionally)
    switchport access vlan 10       (VLAN when this port is in access mode, this is data VLAN)
    switchport voice vlan 20        (VLAN for voice traffic, this is for Nortel IP Phone)

Use the following CLI command to see the port VLAN settings on the Cisco 3750 switch. In the example below the switch port Gi1/0/1 is configured for Data VLAN 10 and voice VLAN 20.

    Show config                     (For port 1/0/1 that we use for testing Nortel IP Phone)
    interface GigabitEthernet1/0/1
     switchport access vlan 10      (This is the default VLAN or data VLAN)
     switchport mode access         (This port is set for access mode)
     switchport voice vlan 20       (This is the Voice VLAN)


The 1140E Nortel IP phone is configured to use both Voice and Data VLANs. Please see the following menu driven options.

Voice VLAN:
    No VLAN
    DHCP            (This is the preferred method, DHCP server to provision VLAN ID)
    Enter VLAN ID   (Manually enter VLAN ID if no DHCP server)

Data VLAN:
    No VLAN
    Enter VLAN ID   (Enter the VLAN ID if tagging is required)


QoS 802.1Q/p Quality of Service

Sound quality of an IP phone call can deteriorate if its traffic does not receive proper QoS treatment by the network. It is critical to the success of an IPT deployment that quality of service (QoS), based either on IEEE 802.1P class of service (CoS) or on DSCP, is implemented. QoS uses classification and scheduling to send network traffic from the switch in a predictable manner.

The Nortel 1140E IP Phone is a configurable device and can be configured to forward traffic with either an 802.1P or DSCP QoS marking. You can configure the edge switch to either trust or remark the QoS settings assigned by an IP Phone. By default, Nortel’s IP phones will mark traffic with the 802.1p bits set to 6 and the DiffServ value set to Expedited Forwarding (EF) 46 for Voice Traffic and 40 for Signalling Traffic.

The simplest approach is to construct your network QoS such that there are only 3 levels of traffic priorities. One priority is for VoIP media (bearer) traffic. The second priority is for VoIP signaling traffic. The third priority is for best-effort IP data traffic. The following markings will be used for Voice, Signaling and Data Traffic.

Traffic Type    | Traffic Classification | DSCP Value
Voice Media     | Expedited Forwarding   | 46
Voice Signaling | Class Selector         | 40
Data Traffic    | Best Effort            | 0

• Use separate VLANs for Voice and Data.
• Use VLAN 10 for Data traffic - PC connected to the IP Phone.
• Use VLAN 20 for Voice traffic.
• Voice traffic is tagged according to 802.1Q encapsulation rules.
• Data traffic is unencapsulated and the LAN switch places Data into the access VLAN.

Please Note:

The implementation of QoS on a converged infrastructure varies greatly from network to network. There is no one correct solution or simple cookbook for deploying QoS. It is best to understand the overall network and the applications that are deemed critical in order to design a QoS strategy. The following examples are intended as a guideline for the implementation of QoS on a Cisco edge switch with Nortel IP Phone.

There are four general steps to configure QoS.

1) Classification of Traffic
2) Create Policy
3) Marking traffic
4) Queuing of both Ingress and Egress ports

In the Cisco Catalyst 3750 Switch, you can classify the frames either based on the incoming CoS/DSCP values or based on the ACL. The configuration based on the incoming CoS/DSCP value is achieved in three different ways:

• Port based configuration using the mls qos interface based commands


• MQC based configuration using class-map and policy-map
• VLAN based configuration

Port based Configuration

    config terminal                                 (Enter global configuration mode)
    mls qos                                         (Enable QoS globally)
    mls qos map cos-dscp 0 8 16 40 32 46 48 56      (Define ingress CoS-to-DSCP mappings)

Interface level

    interface GigabitEthernet1/0/1                  (Specify the physical port)
    switchport access vlan 10                       (Native VLAN)
    switchport mode access                          (Set the port to access mode)
    switchport voice vlan 20                        (Voice VLAN)
    priority-queue out                              (Enable the egress expedite queue)
    mls qos trust dscp                              (Trust IP Phone DSCP Values)
    spanning-tree portfast                          (For Nortel IP Phones)

The Nortel IP Phone marks the voice payload with CoS 6 and DSCP EF when it sends the traffic to the switch. When the traffic enters the switch port Gi 1/0/1 (in our example), the switch trusts the CoS value. Then, the switch derives the DSCP value 48 for the CoS value 6 from the CoS-DSCP default table. Please see the output below.

    Clab_3750#sh mls qos maps cos-dscp
       Cos-dscp map:
            cos:   0  1  2  3  4  5  6  7
         --------------------------------
           dscp:   0  8 16 26 34 46 48 56

We need to map the CoS value of 6 to the DSCP value of 0x2E or 46 (Expedited Forwarding) for the Nortel IP Phone.

    config terminal                                 (Enter global configuration mode)
    mls qos map cos-dscp 0 8 16 24 32 40 46 56      (DSCP 40 for Signaling, 46 for Voice and 0 for Data)

Please note that the CoS mapping is changed: CoS of 6 maps to the DSCP value of 46.

    Clab_3750#sh mls qos maps cos-dscp
       Cos-dscp map:
            cos:   0  1  2  3  4  5  6  7
         --------------------------------
           dscp:   0  8 16 26 34 40 46 56
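An added example, not part of the Nortel guide: a small Python audit that checks candidate or saved switch configuration text against the phone-port settings given in the VLAN section and the port-based QoS section above. The sample configuration is constructed, the function names and finding texts are this example's own, and the VLAN IDs and CoS-to-DSCP map are the guide's example values.

```python
import re

DATA_VLAN, VOICE_VLAN = "10", "20"        # VLAN IDs used in this guide's examples
COS_DSCP_MAP = "0 8 16 24 32 40 46 56"    # guide's final map: CoS 5 -> 40, CoS 6 -> 46

# (required interface line, finding reported when it is absent)
PORT_BASELINE = [
    ("switchport mode access", "switchport mode access is missing"),
    (f"switchport access vlan {DATA_VLAN}", f"access (data) VLAN is not {DATA_VLAN}"),
    (f"switchport voice vlan {VOICE_VLAN}", f"voice VLAN is not {VOICE_VLAN}"),
    ("spanning-tree portfast", "spanning-tree portfast is missing"),
]

# Constructed sample: port 1 follows the guide, port 2 carries a malformed
# voice VLAN line and no QoS settings, port 3 is not a phone port.
SAMPLE = """\
mls qos
mls qos map cos-dscp 0 8 16 24 32 40 46 56
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport voice vlan20
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport mode access
"""


def parse_config(text):
    """Return (global_lines, {interface: [lines]}) from IOS-style config text."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())              # collapse runs of whitespace
        if not line or line == "!":
            continue
        if line.lower().startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif raw[:1].isspace() and current is not None:
            interfaces[current].append(line.lower())   # indented: belongs to the stanza
        else:
            current = None
            global_lines.append(line.lower())
    return global_lines, interfaces


def audit(text):
    """Return a list of (scope, finding) tuples for global QoS and phone ports."""
    global_lines, interfaces = parse_config(text)
    findings = []
    if "mls qos" not in global_lines:
        findings.append(("global", "QoS is not enabled (mls qos)"))
    maps = [l for l in global_lines if l.startswith("mls qos map cos-dscp ")]
    if maps != [f"mls qos map cos-dscp {COS_DSCP_MAP}"]:
        findings.append(("global", "CoS-to-DSCP map differs from the guide"))
    for name, lines in interfaces.items():
        # A phone port is any port with a voice VLAN statement, even a malformed one.
        if not any(l.startswith("switchport voice vlan") for l in lines):
            continue
        for wanted, problem in PORT_BASELINE:
            if wanted not in lines:
                findings.append((name, problem))
        trusts_port = "mls qos trust dscp" in lines
        has_policy = any(re.fullmatch(r"service-policy input \S+", l) for l in lines)
        vlan_based = "mls qos vlan-based" in lines
        if not (trusts_port or has_policy or vlan_based):
            findings.append((name, "no QoS trust or policy on the port"))
        if trusts_port and not has_policy:
            # Port-level trust keeps the DSCP of every frame received on the port.
            findings.append((name, "review: port-wide DSCP trust also applies "
                                   "to the PC behind the phone"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```

The review finding on the first port is informational: the guide's port-based method trusts DSCP for the whole port, while its MQC method limits trust to the voice subnet.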


(MQC) Modular QoS CLI (Policy Based)

MQC can be used to classify and mark the incoming packets and can be used instead of port-specific configuration. You can also mark the incoming packets with the policy-map. The requirements of this configuration are as follows, assuming you have Voice and Data VLANs configured with a PC on the PC port.

• Trust the DSCP values of the IP phone traffic.
• Mark DSCP value of the PC application.
• Untrust all other traffic from the PC.

First, classify the Nortel IP phone traffic: the Nortel IP phone belongs to voice VLAN 20 and has an IP address in the 10.10.132.1 subnet. Second, classify the PC traffic according to your requirements. The PC on the Nortel IP Phone is placed in subnet 10.10.133.1. An ACL can be used to restrict PC access based upon source and destination IP address and UDP/TCP ports. In our setup we will use any source or destination address from the PC but will restrict access to TCP port 23 for a telnet session only.

Create (ACL) Access Control List for both Voice and Data Traffic

    ip access-list extended voice-traffic           (Create Access list for Voice traffic)
    permit ip 10.10.132.0 0.0.0.255 any             (Create filter, allow all VoIP traffic)
    ip access-list extended data-traffic            (Create Access list for Data traffic)
    permit tcp any any eq 23                        (Create filter, allow only Telnet traffic for data)

Create Class Map for both Voice and Data

    class-map voice                                 (Create a class map and call it voice)
    match access-group name voice-traffic           (Apply ACL of voice-traffic)
    class-map data                                  (Create a class map and call it data)
    match access-group name data-traffic            (Apply ACL of data-traffic)

Create Policy

    policy-map voice-policy                         (Create a policy map and call it voice-policy)
    class voice                                     (Class is voice from class mapping above)
    trust dscp                                      (All voice traffic DSCP will be trusted)
    class data                                      (Class is data from class mapping above)
    set dscp af13                                   (af13 maps to CoS 1 data low priority)

Apply Policy to Interface

    interface gigabitEthernet 1/0/1                 (Select the interface to apply the above policy)
    switchport access vlan 10                       (Default VLAN or data VLAN)
    switchport mode access                          (This port is set for access mode)
    switchport voice vlan 20                        (This is the Voice VLAN)
    spanning-tree portfast                          (Sets the port for fast STP convergence)


    service-policy input voice-policy               (Apply created QoS policy “voice-policy”)

Enabling VLAN-Based QoS on Physical Ports

Please use the policy map “voice-policy” created above and apply it to the VLAN in question.

    configure terminal                              (Enter configuration mode)
    interface Vlan20                                (Select the VLAN interface to apply QoS policy)
    service-policy input voice-policy               (Apply the voice-policy to this port)
    interface GigabitEthernet1/0/1                  (Specify the physical port)
    mls qos vlan-based                              (Enable VLAN-based QoS on the port)

The next step is congestion management and avoidance; the steps are queuing, dropping and scheduling of packets. The Cisco Cat 3750 Switch has two ingress queues. After the traffic is classified and marked with QoS labels, you can assign the traffic into two different queues based on the QoS labels. Weighted tail drop (WTD) is used to manage the queue lengths and to provide drop precedence for different traffic classifications. Packets that are marked with CoS of 6, which maps to DSCP of 46 (default for Nortel IP Phone), are placed in queue 2. Queue 2 is the priority queue by default.

Cisco default queue settings and configuration

    show mls qos input-queue
    Queue     :       1       2
    ----------------------------------------------
    buffers   :      90      10
    bandwidth :       4       4
    priority  :       0      10
    threshold1:     100     100
    threshold2:     100     100

Queue 2 is the priority queue. The SRR services the priority queue for its configured weight, which is 10%. Then, SRR shares the remaining bandwidth with both queues and services them as specified by the configured weights. Queue 1 and queue 2 are serviced at the rate of 45% each: 90 percent divided by two is 45 percent.

Cisco IOS allocates default buffer space to queue 1 and queue 2. You can change the buffer allocation using the following CLI.

    mls qos srr-queue input buffers 70 30

    show mls qos input-queue
    Queue     :       1       2
    ----------------------------------------------
    buffers   :      70      30
    bandwidth :       4       4
    priority  :       0      10
    threshold1:     100     100
    threshold2:     100     100


Now the SRR will service the priority queue with a weight of 30, and the remaining 70 percent will be shared by queue 1 and queue 2, that is, 35 percent each.

Cisco QoS bandwidth settings and configuration

Use the following commands to change the bandwidth allocation to each queue. In our setup let's assume our bandwidth is 1GB.

    mls qos srr-queue input bandwidth 90 10
    mls qos srr-queue input priority-queue 2 bandwidth 30

    show mls qos input-queue
    Queue     :       1       2
    ----------------------------------------------
    buffers   :      70      30
    bandwidth :      90      10
    priority  :       0      30
    threshold1:     100     100
    threshold2:     100     100

By default, queue 2 is the priority queue and 10% of total bandwidth is allocated to this queue. Out of a total bandwidth of 1000MB, SRR will first service 30% of 1000MB, which is 300MB, to queue 2. The remaining 700MB of bandwidth is shared by queue 1 and queue 2. According to our configuration, queue 1 is serviced 70% of 700MB and queue 2 is again serviced 10% of 700MB. This 700MB of bandwidth is serviced by SRR in shared mode.
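An added example, not part of the Nortel guide: a Python model of the MQC policy configured earlier in this section (ACLs voice-traffic and data-traffic, policy-map voice-policy), showing how the wildcard mask matches, how class order decides the result, and how many addresses the voice ACL trusts beyond the Vlan20 interface subnet given in the DHCP section. The sample packets and port numbers are constructed, the function names are this example's own, and resetting unmatched traffic to DSCP 0 is an assumption that follows the guide's "untrust all other traffic" requirement.

```python
import ipaddress

AF13 = 14  # DSCP code point for AF13, the value "set dscp af13" writes


def wildcard_match(addr, base, wildcard):
    """Cisco ACL address match: bits set to 1 in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def classify(pkt):
    """Return (class, DSCP after the policy) for one ingress packet.

    Classes are tested in the order they appear in policy-map voice-policy,
    so a packet that fits both ACLs is handled by the first one (voice).
    """
    # class voice: permit ip 10.10.132.0 0.0.0.255 any -> trust dscp
    if wildcard_match(pkt["src"], "10.10.132.0", "0.0.0.255"):
        return "voice", pkt["dscp"]
    # class data: permit tcp any any eq 23 -> set dscp af13
    if pkt["proto"] == "tcp" and pkt["dport"] == 23:
        return "data", AF13
    # Assumption: traffic matching neither class is untrusted and leaves with DSCP 0.
    return "class-default", 0


def acl_excess(base, wildcard, interface):
    """Count addresses the ACL entry trusts that lie outside the interface subnet."""
    net = ipaddress.ip_interface(interface).network
    acl_size = 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    inside = sum(1 for host in net if wildcard_match(str(host), base, wildcard))
    return acl_size - inside


# Constructed sample packets; addresses follow the guide's voice and PC subnets,
# UDP port numbers are placeholders.
SAMPLE_PACKETS = [
    {"src": "10.10.132.10", "proto": "udp", "dport": 5200, "dscp": 46},  # phone media
    {"src": "10.10.132.10", "proto": "udp", "dport": 5000, "dscp": 40},  # phone signaling
    {"src": "10.10.133.50", "proto": "tcp", "dport": 23, "dscp": 0},     # PC telnet
    {"src": "10.10.133.50", "proto": "udp", "dport": 5200, "dscp": 46},  # PC marks EF itself
    {"src": "10.10.132.10", "proto": "tcp", "dport": 23, "dscp": 0},     # fits both ACLs
]


def run_samples():
    """Classify every constructed sample packet, in order."""
    return [classify(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (cls, dscp) in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{pkt['src']:>13} {pkt['proto']}/{pkt['dport']:<5} "
              f"dscp {pkt['dscp']:>2} -> class {cls}, dscp {dscp}")
    extra = acl_excess("10.10.132.0", "0.0.0.255", "10.10.132.1/255.255.255.224")
    print(f"voice-traffic ACL trusts {extra} addresses outside the Vlan20 subnet")
```

Where the voice VLAN really is the /27 shown on interface Vlan20, a wildcard of 0.0.0.31 would make the trusted range match the subnet.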


DHCP Dynamic Host Configuration Protocol

The following configuration example covers setting up the Cisco Cat 3750 to support both voice and data VLANs. With one DHCP server providing IP addresses to multiple subnets, the L3 device has to be configured to forward DHCP requests from the clients to the DHCP server. In our setup we have two VLANs, Voice and Data. The DHCP server resides on the Data VLAN but can serve clients on the Voice VLAN if the router is configured to forward DHCP requests.

From the command line interface go to enable mode.

    configure terminal                            (Switch to configuration mode)
    interface Vlan20                              (This is Voice VLAN with Nortel IP Clients)
    ip address 10.10.132.1 255.255.255.224        (IP address of the Cisco interface)
    ip helper-address 10.10.133.35                (This is the IP address of the DHCP server)

In the above setup the DHCP server IP address is 10.10.133.35, which is on the Data VLAN. The clients are on Voice VLAN 10.10.132.1. The Cisco router will forward all DHCP requests from Nortel IP clients on the Voice VLAN to the DHCP server if ip helper-address is used.

Note:

• The above example applies to all the interfaces on the Cisco L2/L3 switch with Nortel IP clients configured for partial or full DHCP.

• A VLAN interface with the DHCP server on the same VLAN does not need any helper address.


EAPoL 802.1x (Extensible Authentication Protocol over LAN)

Extensible Authentication Protocol over LAN is a port-based network access control protocol. EAPoL provides a method for performing authentication at the edge of the network in order to obtain network access based on the IEEE 802.1X standard. 802.1X specifies a protocol used between devices that desire access to the network (EAP Supplicants) and devices providing access to the network (EAP Authenticator). The Cisco L2 switch controls physical access to the network based on the authentication status of the client. The Cat 3750 acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client.

Nortel IP Phones on Unistim 3 and later support three EAP types:

• EAP-MD5
• EAP-PEAP
• EAP-TLS

Please note that the Cisco Cat 3750 is transparent to EAP types; the configuration for all three is the same on the switch. The client (Supplicant) and the RADIUS server (Authentication Server) should be configured accordingly. No special configuration is required on the switch (Authenticator) unless otherwise noted.

In our setup:

    EAP Supplicant            = Nortel IP Phone
    EAP Authenticator         = Cisco Cat 3750 L2 switch
    EAP Authentication Server = RADIUS server (This can be Cisco ACS or FreeRADIUS)

The Nortel IP Phone should be configured for:

    Enabled 802.1x (EAP)      (check box)
    Device ID = nortel_set    (ID you configure on RADIUS server)
    Password = 12345          (password string also configured on RADIUS server)

Configuring the port for 802.1x Authentication on Cisco Cat 3750

    configure terminal
    aaa new-model                  (Enable AAA)
    dot1x system-auth-control      (Enable 802.1x authentication globally on the switch)
    interface interface-id         (Specify the interface to configure for AAA, e.g. Gi1/0/1)
    dot1x port-control auto        (802.1x authentication enabled on the port)

Configuring Cat 3750 switch to use RADIUS Server for authentication

    Config t
    radius-server host 10.10.133.36 auth-port 1812 key secret_value

Note:

• Host IP is the IP address of the RADIUS server
• Auth-port is the UDP authentication port configured on the RADIUS server
• Key is the password configured on the RADIUS server for client authentication

Configuring Periodic Re-Authentication

You can enable periodic 802.1x client re-authentication and specify how often it occurs. If you do not specify a time period before enabling re-authentication, the number of seconds between re-authentication attempts is 3600.

    configure terminal
    dot1x reauthentication
    dot1x timeout reauth-period “seconds”      (seconds = 1 to 65535)

The minimum re-authentication period when EAP-MD5 and EAP-PEAP are enabled is 10 seconds. When EAP-TLS is enabled, the minimum re-authentication period is 20 seconds.

Changing the Quiet Period

When the switch cannot authenticate the client, the switch remains idle for 60 seconds, which is the default, and then tries again. The dot1x timeout quiet-period controls the idle period. You can provide a faster response time to the user by entering a smaller number than the default.

    configure terminal
    interface GigabitEthernet1/0/1
    dot1x timeout quiet-period seconds

Changing the Switch-to-Client Retransmission Time

The client responds to the EAP request from the switch with an EAP response. If the switch does not receive this response, it waits for 30 seconds and then resends the frame.

    configure terminal
    interface GigabitEthernet1/0/1
    dot1x timeout tx-period “seconds”      (seconds = 15 to 65535, default is 30)

Configuring the Host Mode

You can allow multiple hosts (clients) on an 802.1x-authorized port that has dot1x port-control configured for auto. If you have a PC using the PC port on the Nortel IP phone, please use the following configuration to configure the port for multi-host mode.

    configure terminal
    interface GigabitEthernet1/0/1
    dot1x host-mode multi-host

Configuring a Guest VLAN

Clients that are not 802.1x-capable can use the guest VLAN when the server does not receive a response to its EAP request. Clients that are 802.1x-capable but fail authentication are not granted access to the network. The switch supports guest VLANs in both single-host and multiple-hosts mode.

    configure terminal
    interface GigabitEthernet1/0/1
    dot1x guest-vlan vlan-id
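A way to check a saved switch configuration against the 802.1x settings in this section, given as an added example that is not part of the Nortel guide or of Cisco IOS. The function name, the sample configuration, guest VLAN 30 and port Gi1/0/2 are assumptions made for illustration.

```python
import re

GLOBAL_REQUIRED = ("aaa new-model", "dot1x system-auth-control")

def audit_dot1x(config):
    """Map each scope ('global' or an interface name) to a list of findings."""
    lines = [l.rstrip() for l in config.splitlines()]
    top = [l for l in lines if l and not l.startswith(" ")]
    findings = {}

    def note(scope, text):
        findings.setdefault(scope, []).append(text)

    for cmd in GLOBAL_REQUIRED:
        if cmd not in top:
            note("global", "missing: " + cmd)
    if not any(l.startswith("radius-server host ") for l in top):
        note("global", "missing: radius-server host")
    # Gather the indented sub-commands of every interface stanza.
    stanzas, current = {}, None
    for l in lines:
        m = re.match(r"interface (\S+)$", l)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif l.startswith(" ") and current is not None:
            current.append(l.strip())
        else:
            current = None
    for name, cmds in stanzas.items():
        if name.lower().startswith("vlan"):
            continue  # VLAN interfaces such as Vlan20 are not access ports
        if "dot1x port-control auto" not in cmds:
            note(name, "no 'dot1x port-control auto': port is not authenticated")
            continue
        if "dot1x host-mode multi-host" in cmds:
            note(name, "multi-host: one authenticated client opens the port to all attached hosts")
        if any(c.startswith("dot1x guest-vlan ") for c in cmds):
            note(name, "guest VLAN: clients that never answer EAP are placed in it")
    return findings

# Constructed sample built from the commands and addresses used in this guide.
SAMPLE_CONFIG = """\
aaa new-model
dot1x system-auth-control
radius-server host 10.10.133.36 auth-port 1812 key secret_value
!
interface GigabitEthernet1/0/1
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x guest-vlan 30
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface Vlan20
 ip address 10.10.132.1 255.255.255.224
"""

if __name__ == "__main__":
    for scope, items in audit_dot1x(SAMPLE_CONFIG).items():
        print(scope, items)
```

The multi-host and guest VLAN findings are not errors in themselves; they mark the ports where a device other than the authenticated phone can reach the network and should be reviewed.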


LLDP 802.1ab (Link Layer Discovery Protocol)

IEEE 802.1AB LLDP is a Layer 2 neighbor discovery protocol. It defines a standard method for Ethernet network devices such as switches, routers and IP Phones to advertise information about themselves to other nodes on the network and store the information they discover. This section describes how to configure the Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) on the Cisco Cat 3750 switch. The Nortel IP Phone can be set up for either LLDP VLAN Name or LLDP-MED Network Policy but not both.

The Nortel IP Phone can be configured for:

    Enabled 802.1ab (LLDP)     (check box to enable LLDP)
    VoiceVLAN:
        LLDP VLAN Name         (Cisco switch does not support VLAN Name)
        or LLDP MED            (This is the preferred option)
    DataVLAN:
        No VLAN                (Use this option if you have PC on PC port)
        LLDP VLAN Name         (Cisco switch does not support VLAN Name)
        Enter VLAN ID          (Enter the VLAN ID if tagging is required)

The Nortel IP Phone will transmit the following LLDP messages:

• Chassis ID
• Port ID
• Time To Live
• End of LLDPPDU
• Port Description
• System Description
• System Capabilities
• Port VLAN ID
• Port And Protocol VLAN ID
• VLAN Name
• Protocol Identity
• MAC/PHY Configuration Status
• Power Via MDI
• Link Aggregation
• Maximum Frame Size
• LLDP-MED Capabilities
• Network Policy
• Extended Power-via MDI
• Inventory Firmware Revision
• Inventory Manufacturer Name
• Inventory Model Name


The Nortel IP Phone is capable of receiving the following LLDP messages, but not all are transmitted by the Cisco switch:

• Chassis ID
• Port ID
• Time To Live
• End of LLDPPDU
• System Capabilities
• VLAN Name (voice and data VLAN configuration)
• MAC/PHY Configuration Status (link mismatch detection)
• LLDP-MED Capabilities
• Network Policy (voice VLAN and QoS configuration)
• Location Identification (stored in the phone and forwarded to the server)

Cisco Cat 3750 default LLDP settings are as follows. Defaults are used to interoperate with Nortel sets unless otherwise noted.

    LLDP global state                       Enabled
    LLDP holdtime (before discarding)       120 seconds
    LLDP timer (packet update frequency)    30 seconds
    LLDP reinitialization delay             2 seconds
    LLDP tlv-select                         Enabled to send and receive all TLVs.
    LLDP interface state                    Enabled
    LLDP receive                            Enabled
    LLDP transmit                           Enabled
    LLDP med-tlv-select                     Enabled to send all LLDP-MED TLVs

Please note: LLDP can be enabled or disabled globally and at an interface level.

    configure terminal
    lldp run                            (To enable LLDP globally)
    no lldp run                         (To disable LLDP globally)
    interface GigabitEthernet1/0/1      (To configure LLDP at interface level)
    lldp transmit                       (LLDP packets are sent on this interface)
    lldp receive                        (LLDP packets are received on this interface)
    no lldp transmit                    (No LLDP packets are sent on this interface)
    no lldp receive                     (No LLDP packets are received on this interface)

Use the show lldp command to verify LLDP settings.

    Clab_3750#sh lldp
    Global LLDP Information:
        Status: ACTIVE
        LLDP advertisements are sent every 30 seconds
        LLDP hold time advertised is 120 seconds
        LLDP interface reinitialisation delay is 2 seconds


    Clab_3750#sh lldp int GigabitEthernet1/0/1
    GigabitEthernet1/0/1:
        Tx: enabled
        Rx: enabled
        Tx state: IDLE
        Rx state: WAIT FOR FRAME

Please Note: The preferred method to assign VLANs to Nortel IP Phones is LLDP if available.

The Network policy TLV allows both network connectivity devices and endpoints to advertise VLAN configurations and associated Layer 2 and Layer 3 attributes for the specific application on that port. The switch can notify a phone of the VLAN number that it should use. The phone can connect into any switch, obtain its VLAN number, and then start communicating. By default all LLDP TLVs are enabled. You can enable the TLVs globally or at an interface level.

    Config t                                  (Enter Configuration mode)
    interface GigabitEthernet1/0/1            (For interface level configuration)
    lldp med-tlv-select                       (For LLDP TLV selection, see 4 choices below)
        inventory-management                  (LLDP MED Inventory Management)
        location                              (LLDP MED Location TLV)
        network-policy                        (LLDP MED Network Policy TLV)
        power-management                      (LLDP MED Power Management TLV)

    lldp med-tlv-select network-policy        (To assign VLAN via LLDP)
    lldp med-tlv-select power-management      (Allows Switch and PD to exchange PoE information)
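The voice VLAN assignment described above is carried in the LLDP-MED Network Policy TLV. The following added example (not from the Nortel guide or from Cisco) decodes that TLV from a constructed LLDPDU so the advertised VLAN, Layer 2 priority and DSCP can be compared with the switch configuration. VLAN 20, priority 6 and DSCP 46 are sample values taken from this guide's setup, and the function names and the chassis MAC address are assumptions.

```python
import struct

LLDP_MED_OUI = bytes.fromhex("0012bb")  # OUI carried by every LLDP-MED TLV
ORG_SPECIFIC = 127                      # TLV type for organizationally specific TLVs

def iter_tlvs(lldpdu):
    """Yield (type, value) pairs; each TLV header is a 7-bit type and 9-bit length."""
    off = 0
    while off + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(lldpdu):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        yield tlv_type, lldpdu[off:off + length]
        off += length
        if tlv_type == 0:  # End of LLDPDU
            return

def parse_network_policy(value):
    """Decode an LLDP-MED Network Policy value (subtype 2); None for any other TLV."""
    if len(value) != 8 or value[:3] != LLDP_MED_OUI or value[3] != 2:
        return None
    bits = int.from_bytes(value[5:8], "big")  # U, T, X flags, VLAN, priority, DSCP
    return {
        "application": value[4],              # 1 = voice
        "unknown_policy": bool((bits >> 23) & 1),
        "tagged": bool((bits >> 22) & 1),
        "vlan_id": (bits >> 9) & 0xFFF,
        "l2_priority": (bits >> 6) & 0x7,
        "dscp": bits & 0x3F,
    }

def voice_policy(lldpdu):
    """Return the decoded voice (application type 1) policy, or None if absent."""
    for tlv_type, value in iter_tlvs(lldpdu):
        policy = parse_network_policy(value) if tlv_type == ORG_SPECIFIC else None
        if policy and policy["application"] == 1:
            return policy
    return None

# Constructed LLDPDU (Ethernet header omitted), as a switch port might send it.
SAMPLE_LLDPDU = (
    bytes.fromhex("020704020000000001")      # Chassis ID: MAC 02:00:00:00:00:01
    + bytes.fromhex("040805") + b"Gi1/0/1"   # Port ID: interface name
    + bytes.fromhex("06020078")              # Time To Live: 120 seconds
    + bytes.fromhex("fe080012bb02014029ae")  # LLDP-MED Network Policy, voice
    + bytes.fromhex("0000")                  # End of LLDPDU
)

if __name__ == "__main__":
    print(voice_policy(SAMPLE_LLDPDU))
```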


STP 802.1w (Spanning Tree Protocol)

Since the Nortel IP Phone has two open ports, one for the network and the other the PC port, there is always a chance of connecting both ports to the Cisco switch and creating a loop. If a loop is detected, the last port on the switch that caused the loop will go into blocking mode.

Please Note: No configuration is available on the Nortel IP phone for STP.

This section describes how to configure the Spanning Tree Protocol on the Catalyst 3750 switch. The switch uses the following Spanning Tree Protocols:

    PVST+          (Based on the IEEE 802.1D standard and Cisco proprietary extensions, default)
    rapid-PVST+    (Based on the IEEE 802.1w standard, same as above but rapid convergence)
    MSTP           (Multiple Spanning Tree Protocol, runs on top of PVST+ or rapid-PVST+)

Configuring the switch for spanning tree mode

    configure terminal
    spanning-tree mode      (Three options available below)
        mst                 (Multiple spanning tree mode)
        pvst                (Per-Vlan spanning tree mode, also the default)
        rapid-pvst          (Per-Vlan rapid spanning tree mode, preferred)

Please use Port Fast on the interface connected to the Nortel IP Phone to allow it to connect to the network immediately rather than waiting for the spanning tree to converge. An interface with Port Fast enabled goes through the normal cycle of spanning-tree status when the switch is restarted. The purpose of Port Fast is to minimize the time interfaces must wait for spanning tree to converge. Port Fast will immediately bring an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.

Configuring the switch for spanning tree Port Fast

    configure terminal
    spanning-tree portfast default      (Moves all the ports directly to the spanning-tree forwarding state)

Or at interface level if you do not want all the ports in Port Fast state:

    interface GigabitEthernet1/0/1
    spanning-tree portfast              (Moves the port directly to the spanning-tree forwarding state)

Use the show spanning-tree command to check STP settings.

    Clab_3750#show spanning-tree

    VLAN0020
      Spanning tree enabled protocol ieee
      Root ID    Priority    32809
                 Address     0018.1928.f500
                 This bridge is the root
                 Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32809  (priority 32768 sys-id-ext 41)
                 Address     0018.1928.f500
                 Hello Time 2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Gi1/0/1          Desg FWD 4         128.4    P2p Edge
